Archive for the ‘IM Worm’ Category

Mariposa Wings Clipped

Tuesday, March 2nd, 2010

Spanish law enforcement nabbed three operators of the Mariposa botnet:  “Authorities identified them by their Internet handles and their ages: “netkairo,” 31; “jonyloleante,” 30; and “ostiator,” 25.”

The massive infection rate described in the article presents just another reason why you need our quiet ThreatFire product protecting your workstation. On a weekly basis, thousands of updated ThreatFire-protected systems were attacked and protected from variants of the bots with a feature we call “behavioral recognition”. It is far superior to AV file scanner signatures and definitively identifies the behavior of malware families like the bots that were a part of the Mariposa botnet. Problems with signature based AV scanner recognition and various Mariposa variant bots were described in a technical paper here.

Pilleuz

If you saw a red dialog from ThreatFire warning that it is protecting your system from “Worm.Palevo” or “W32.Pilleuz”, your system was protected from becoming another one of over 12 million Mariposa victims.

Posted in Bot, Crimeware, Evasion technique, IM Worm, Malware Counts, Obfuscation, Password stealing, Uncategorized, Worm | 1 Comment »

Windows Security Center and Virus (I-Worm.Trojan.b)

Tuesday, May 12th, 2009

What is a virus i-worm trojan anyways? Well, it’s not a legitimate detection with a valid CARO name, it’s gibberish to lead a user to “Click ‘Ok’ to Install System Security Antivirus”, either on XP:

Or with a more sleek look on Vista:

The distributors of System Security Antivirus, another rogueware or FakeAv product, are redirecting Turkish users to a site encouraging them to download the malware with a familiar scheme: To watch this video you must have the Flash Player installed.
It appears that the group is worming through Windows Live Messenger to attract downloads in increasing prevalence. We’ll be investigating it in depth and posting details here.

The phony video page this time appears in Turkish, hosted on a Turkish server:
“Flash Player version uyumsuzlugu:
Tarayiciniz bu videoyu goruntuleyemiyor.
Bu videoyu izleyebilmek icin Flash Player yaziliminizin guncel olmasi gerekiyor.
Flash Player yaziliminizi guncellemek icin «Devam» butonuna tiklayiniz.”

The downloaded file, flashplayerupdate_01.exe, drops and runs advhost.exe from system32 to perform the dirty work and injects adlaunch32.dll into all newly started applications.

An interesting characteristic for the flashplayer_01 executable is its use of a spoofed, invalid digital signature, supposedly signed from Microsoft:

Conveniently, the english version of the attacking web page is hosted on the same server:


Of course, the payload appears to be a bit different, serving up a doctored install_flash_player_9.04.exe package that includes the legitimate mIRC client.

Posted in FakeAlert, IM Worm, Rogueware, Social Engineering, Worm | No Comments »

MSN Messenger Worm Continues to be a Problem

Thursday, March 19th, 2009

Spoofing video codecs and third party video player plugin upgrades have proven to be an effective way to fool users into running malware on their systems. Malware does not need to spread effectively by exploiting vulnerable and unpatched code on a system.

Another extremely common and effective technique has been convincing users that their friends are sending them pictures. Attackers will use a variety of legitimate sounding Urls, alter the icons of the files they want users to run so that executables appear to be image files, and modify filenames to appear to be image files. These sorts of techniques are very common right now.

ThreatFire is currently preventing a high number of users from running an IM worm and its accompanying downloaded bot. The worm attempts to send itself out to MSN Messenger users’ address book contacts, convincing friends that fun pictures await. This worm installs an IRCbot, adding the machine to yet another botnet. Here is a handful of files being spread at the moment:

Image.php hosted at hxxp://hi5-album.com, hxxp://hi5-foto.net, and a number of other legitimate sounding Urls redirect users to a variety of files at
hxxp://66.29.31.3(slash)~RIVUX
with file names like PIC2009-02-15-JPG.exe, PICT1321.JPG.EXE, PICT0018.JPG.EXE and the others in the screenshot above. The downloads icons appear exactly as in the screenshot above, and when extensions are turned off for known file types (a Windows explorer setting) a user may not realize that they have an executable and not an image on their system. And because of the icon tampering, they look even more like jpg and gif files.

We’ve been posting about this sort of scheme for some time now. It continues to be effective and users need to be more aware of the techniques used.

Posted in Bot, IM Worm, Social Engineering | No Comments »